Login Security Question

I have read through a bunch of Defender threads and realize that login security for defending against brute force attacks is already on the development board. However, can you recommend a current plugin that is multisite friendly for dealing with brute force attacks? I don't want to make logging in more difficult for my legitimate users but would like to block hackers/bots after a few attempts.

Any suggestions would be greatly appreciated.

Pat

  • Tyler Postle

    Hey wlpdrpat,

    Yes, Brute Force protection will be in the next release of Defender. It's getting an extensive round of beta testing right now, so it should be in the release pipeline very soon :slight_smile:

    As for an interim solution: do you use Jetpack at all? It comes with a "Protect" module that will protect against brute force attacks; on a Multisite, just make sure that Jetpack is network enabled.

    Hope that helps! If you have further questions in the meantime just let us know.

    Cheers,
    Tyler

  • wlpdrpat

    Tyler Postle

    Jetpack?!?! I haven't used it in a long time because it is such a pain in the _ _ _. Has it improved dramatically or is it still a massively bloated plugin where setup involves creating an account on wordpress.com for every freakin' site on multisite to get it to work?

    If I am wrong and Jetpack is now awesome - please let me know.

    I was really hoping there was something less intrusive and bloated that didn't involve a bunch of duplication too. Defender is so close to providing a complete solution for security. I was just hoping that a simple light plugin for login security would be sufficient to complement it.

    So far the login plugins I have tested either duplicate the functions of Defender or include advertising splattered all over the site after activation. Frustrating.

  • wlpdrpat

    Tyler Postle

    Well, I took your advice and tried installing Jetpack, and they have definitely improved it for multisite, as the setup was rather straightforward by comparison to my previous experience - although it still took more than 2 hours to complete all the sites in my network (180). However, a couple of major problems surfaced after activation:

    1. Jetpack network admin menu covers the WPMU Dev network admin menu (serious bummer).
    2. Adding Jetpack and network activating breaks multisite file upload system (super serious bummer).

    I deactivated Jetpack and it didn't resolve the file upload problem (more serious bummer).
    I deactivated Defender and the file upload problem persists (now I am "F"ing pissed).

    Just thought you should know for future reference that Jetpack is a bad idea for multisite!!

    I will let you know when I find the fix for the file uploads breakage.

    Pat

  • wlpdrpat

    Tyler Postle

    I was able to fix the uploaded files not displaying by fully deleting both Defender and Jetpack plugins and rolling back modifications to wp-config.php.

    To try to duplicate the issue I reinstalled both and network activated both (checking the uploaded file issue at each step) and the issue does not duplicate.

    The issue occurs when initiating Defender's "Disable File Editor" (this is what changed the wp-config.php). For some reason it prints define( 'DISALLOW_FILE_EDIT', true ); above the first line.

    So it looks like this:

    define( 'DISALLOW_FILE_EDIT', true );
    <?php

    I moved this to the bottom of wp-config.php where I have added other define rules and it resolves the problem.

    Apologies for my upset language regarding Jetpack. However, it still covers up the network admin menu for WPMU Dev which is still a significant problem as I can't access the most important parts of my network admin.

    Pat
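
Added example (not part of the original thread, and not Defender's or WordPress's own code): PHP sends anything that precedes the first `<?php` to the client as literal output, so a `define()` stranded there is never executed and the hardening it was meant to apply is not in effect. The sketch below detects that layout and moves the stranded line above the stock "stop editing" marker; the function names `stray_prefix` and `repair` are hypothetical and the sample file is constructed.

```python
import re

OPEN_TAG = "<?php"
# Stock wp-config.php marker; custom defines belong above it (before wp-settings.php loads).
STOP_MARKER = re.compile(r"^/\*.*stop editing.*$", re.IGNORECASE | re.MULTILINE)
DEFINE_STMT = re.compile(r"^define\s*\(.*\)\s*;$")

# Constructed sample reproducing the layout quoted in the post above.
BROKEN = (
    "define( 'DISALLOW_FILE_EDIT', true );\n"
    "<?php\n"
    "define( 'DB_NAME', 'example_db' );\n"
    "/* That's all, stop editing! Happy publishing. */\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)


def stray_prefix(config_text):
    """Text before the first '<?php'. PHP echoes it to the client instead of running it."""
    pos = config_text.find(OPEN_TAG)
    if pos == -1:
        raise ValueError("no <?php opening tag found")
    return config_text[:pos]


def repair(config_text):
    """Move define() lines stranded above '<?php' to just above the stop-editing marker."""
    prefix = stray_prefix(config_text)
    body = config_text[len(prefix):]
    lines = [ln.strip() for ln in prefix.lstrip("\ufeff").splitlines() if ln.strip()]
    unknown = [ln for ln in lines if not DEFINE_STMT.match(ln)]
    if unknown:
        raise ValueError(f"unexpected content before <?php, review by hand: {unknown!r}")
    lines = [ln for ln in lines if ln not in body]  # skip defines already present
    if not lines:
        return body  # only a BOM, blank lines or duplicates preceded the tag
    block = "\n".join(lines) + "\n"
    marker = STOP_MARKER.search(body)
    if marker:
        return body[:marker.start()] + block + body[marker.start():]
    head, _, tail = body.partition("\n")  # no marker: place right after the opening tag line
    return head + "\n" + block + tail


if __name__ == "__main__":
    print(repr(stray_prefix(BROKEN)))
    print(repair(BROKEN))
```

Run it against a copy of wp-config.php rather than the live file, and diff the result before putting it back.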

  • Tyler Postle

    Hey Pat,

    Sorry for the delay here.

    Can you let the dev team for Defender know about the issue with Disable File Editor? It was reproducible on my server and resulted in breaking the file uploads both times.

    It may be because I am using IIS. Possible suggestion would be to provide instructions for how to add the define to the wp-config for IIS setups similar to the Disable PHP for IIS.

    I've passed this onto our Defender developer. I tested on my site and it added it properly so yes it could be an issue specific to IIS setups.

    Apologies for my upset language regarding Jetpack. However, it still covers up the network admin menu for WPMU Dev which is still a significant problem as I can't access the most important parts of my network admin.

    No worries! I agree that JetPack is a bit overkill for just brute force protection, but being able to deactivate all other modules makes it a little bit better. I wasn't able to find any lighter solutions that work with Multisite; however, very soon you will be able to do away with JetPack altogether, once we add Brute Force Protection to Defender :slight_smile:

    As for the network admin menu item disappearing, are you referring to this spot:

    You can see mine is still showing up there, this is network activated too. There may be a third plugin that is part of the conflict on your site. You can deactivate all other plugins besides Jetpack and our Dashboard to confirm whether that is the case or not. Or if you don't mind living with it for a short while then we'll have the next Defender update out and you can trash JetPack :smiley:

    Cheers,
    Tyler

  • Bojan Radonic

    Hey Pat,

    Hope you don't mind me chiming in here :slight_smile:

    I'm not an expert with JetPack but after taking a quick look it appears that from what basic protection JetPack offers you should be safe to remove it. Defender offers more as it also provides 404 detection which means that it is checking for IP addresses that repeatedly request pages on your website that don’t exist.

    Hope this helps :slight_smile:

    Cheers,
    Bojan
